Abstract. In this paper we present the first practical attack on the shifted conjugacy-based authentication protocol proposed by P. Dehornoy in [5]. We discuss the weaknesses of that primitive and propose ways to improve the protocol.



1. Introduction 



Let $B_n$ be the group of braids on $n$ strands given by its standard Artin presentation, and let $B_\infty$ be the group of braids on infinitely many strands generated by an infinite family $\{\sigma_1, \sigma_2, \ldots\}$ subject to the same relations. There are several normal forms available for elements of $B_n$, e.g., the Garside normal form [6, Chapter 9] or the Birman-Ko-Lee normal form [1]. For the purposes of this paper it is convenient to define the length of an element $x \in B_n$ to be the length of its Garside normal form and denote it by $|x|_{\Delta_n}$.

For a braid word $w = \sigma_{i_1}^{\pm 1} \cdots \sigma_{i_k}^{\pm 1}$ over the group alphabet of $B_\infty$ define a braid word (with the same exponents)

$$d(w) = \sigma_{i_1+1}^{\pm 1} \cdots \sigma_{i_k+1}^{\pm 1}.$$

The mapping $w \mapsto d(w)$ induces a monomorphism of $B_\infty$ and is referred to as a shift operator. Now, for braids $a, b \in B_\infty$ define a braid $a * b$ by

(1) $a * b = a \cdot d(b) \cdot \sigma_1 \cdot d(a^{-1})$.



The operator $* : B_\infty \times B_\infty \to B_\infty$ is called the shifted conjugacy operator.

The Dehornoy authentication protocol is the following sequence of steps. First, Alice prepares her public and private keys. She randomly chooses elements $s, p \in B_n$ and computes $p' = s * p$. The element $s$ is called her private key (to be kept secret) and the pair $(p, p')$ is called her public key (to be published).

The protocol is a Fiat-Shamir-style [7] authentication protocol in which a single round of the protocol is performed as follows:

A. Alice chooses a random $r \in B_n$ and sends a pair $(x, x')$ (called the commitment) to Bob, where $x = r * p$ and $x' = r * p'$.

B. Bob chooses a random bit $b$ (called the challenge) and sends it to Alice:

0) If $b = 0$ then Alice sends $y = r$ to Bob, and Bob checks that the equalities $x = y * p$ and $x' = y * p'$ are satisfied.

1) If $b = 1$ then Alice sends $y = r * s$ to Bob, and Bob checks that the equality $x' = y * x$ is satisfied.

Noting that $u * (v * w) = (u * v) * (u * w)$, it is straightforward to check that a correct answer $y$ to a challenge leads to a successful check.

To break the system it is sufficient to find any $s' \in B_n$ satisfying $s' * p = p'$. Hence the security of this protocol is, in particular, based on the difficulty of the Shifted Conjugacy Search Problem (ShCSP), which is the following algorithmic question:

For a pair of braids $p, p' \in B_\infty$ find a braid $s \in B_\infty$ such that $p' = s * p$ (provided that such $s$ exists).

Similarly one can formulate the Shifted Conjugacy Decision Problem (ShCDP):

For a pair of braids $p, p' \in B_\infty$ determine if there exists a braid $s \in B_\infty$ such that $p' = s * p$.

These problems first appeared in [5] and have not been explored enough to give a precise answer about their time complexity or even decidability (for the decision problem). Despite the resemblance to the conjugacy decision problem (CDP), which is decidable and suspected to have a polynomial-time solution (see [2], [3]), it is not clear whether ShCDP is solvable.

Dehornoy's original paper [5] does not discuss how to generate public and private keys; the author just proposes a primitive and provides some intuition on why the primitive might be hard. In this paper we use the easiest method of key generation: keys are chosen uniformly from the ambient free group and then considered as words in the braid group.

1) Fix the rank $n$ of the braid group. It is an important parameter in the scheme: the efficiency of all the operations depends on it.

2) Fix numbers $L$ and $K$, the key lengths. These numbers are the main security parameters. (In all our experiments $L = K$.)

3) Pick randomly and uniformly a braid word $p$ (resp. $s$) from the set of all braid words of length $L$ (resp. $K$).

4) Finally, compute $p' = s * p$.
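The following is an added example, not code from the paper or its authors, that models the whole scheme described above at the braid-word level: the shift $d$, the shifted conjugacy $*$ of (1), the four key generation steps, and one round of the protocol with both challenge values. Braid words are lists of signed integers ($+i$ for $\sigma_i$, $-i$ for $\sigma_i^{-1}$). Bob's checks are genuine braid-group equalities, decided with the Artin action of a braid on a free group (a faithful representation), rather than free-word comparisons; this matters for the $b = 1$ check, where $x'$ and $y * x$ are different words that represent the same braid because of the identity $u * (v * w) = (u * v) * (u * w)$. The function names, the tiny parameters ($n = 3$, $L = K = 3$) and the fixed seed are assumptions made for the example.

```python
"""Dehornoy's shifted-conjugacy authentication, modelled at braid-word level.

Added example (not code from the paper). Braid words are lists of non-zero
ints: +i is sigma_i, -i is sigma_i^{-1}. Braid equality is decided with the
faithful Artin action on a free group, so Bob's checks are exact.
"""
import random


def free_reduce(word):
    """Cancel adjacent x x^{-1} pairs; a free-group word is a list of +-ints."""
    out = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out


def inverse(word):
    """Inverse of a word in a free group or in a braid group."""
    return [-g for g in reversed(word)]


def strands_for(*words):
    """Number of strands needed to hold every generator that occurs."""
    return max((abs(g) for w in words for g in w), default=1) + 1


def artin_action(braid, strands):
    """Images of the free generators x_1..x_strands under the braid.

    sigma_i: x_i -> x_i x_{i+1} x_i^{-1}, x_{i+1} -> x_i (others fixed);
    sigma_i^{-1}: x_i -> x_{i+1}, x_{i+1} -> x_{i+1}^{-1} x_i x_{i+1}.
    Letters are applied left to right; the braid relations hold for these
    substitutions, so equal braids always give equal dictionaries.
    """
    images = {j: [j] for j in range(1, strands + 1)}
    for g in braid:
        i = abs(g)
        if g > 0:
            gen = {i: [i, i + 1, -i], i + 1: [i]}
        else:
            gen = {i: [i + 1], i + 1: [-(i + 1), i, i + 1]}
        for j in images:
            new = []
            for x in images[j]:
                img = gen.get(abs(x), [abs(x)])
                new.extend(img if x > 0 else inverse(img))
            images[j] = free_reduce(new)
    return images


def braid_equal(u, v):
    """True iff the braid words u and v represent the same braid."""
    m = strands_for(u, v)
    return artin_action(u, m) == artin_action(v, m)


def shift(w):
    """The shift d(w): every sigma_i becomes sigma_{i+1}."""
    return [g + 1 if g > 0 else g - 1 for g in w]


def star(a, b):
    """Shifted conjugacy, equation (1): a * b = a . d(b) . sigma_1 . d(a^{-1})."""
    return a + shift(b) + [1] + shift(inverse(a))


def self_distributive(u, v, w):
    """u * (v * w) = (u * v) * (u * w): the identity behind the b = 1 check."""
    return braid_equal(star(u, star(v, w)), star(star(u, v), star(u, w)))


def random_braid_word(n, length, rng):
    """Uniform word of the given length over sigma_1^{+-1} .. sigma_{n-1}^{+-1}."""
    return [rng.choice((-1, 1)) * rng.randrange(1, n) for _ in range(length)]


def keygen(n, L, K, rng):
    """Key generation steps 1-4: returns (private s, public (p, p'))."""
    p = random_braid_word(n, L, rng)
    s = random_braid_word(n, K, rng)
    return s, (p, star(s, p))


def commit(r, public):
    """Step A: Alice's commitment (x, x') = (r * p, r * p')."""
    p, pp = public
    return star(r, p), star(r, pp)


def respond(bit, r, s):
    """Step B: y = r for challenge 0, y = r * s for challenge 1."""
    return r if bit == 0 else star(r, s)


def verify(bit, public, commitment, y):
    """Bob's check for the given challenge bit."""
    p, pp = public
    x, xp = commitment
    if bit == 0:
        return braid_equal(x, star(y, p)) and braid_equal(xp, star(y, pp))
    return braid_equal(xp, star(y, x))


def run_round(s, public, bit, r):
    """One honest round: commit, answer the challenge, verify."""
    return verify(bit, public, commit(r, public), respond(bit, r, s))


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed; parameters kept tiny on purpose
    s, public = keygen(n=3, L=3, K=3, rng=rng)
    r = random_braid_word(3, 2, rng)
    for bit in (0, 1):
        print("challenge", bit, "accepted:", run_round(s, public, bit, r))
```

The word lengths are kept very small because the free-group images under the Artin action can grow exponentially in the braid length; for the parameter sizes of the paper one would switch to a normal form such as the Garside form named in the introduction. A response that does not use the secret (for example $y = r\sigma_1$ in place of $y = r$ for $b = 0$) is rejected by `verify`, which is the soundness side of the round.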

To summarize the results of our work: 

A. Even though it seems unlikely that ShCSP can be deterministically 
reduced to CSP we argue that ShCSP can be reduced to CSP gener- 
ically (for most of the inputs) and present the reduction. 

B. We present the results of actual experiments. The following table shows the percentage of success in our experiment. The number of successes where the result was equal to the original key is in brackets. For instance, if the key length is 100 and the platform group is $B_{40}$ then, using our attack, in 24% of cases we recovered an element $s \in B_n$ such that $p' = s * p$ and hence broke the protocol. In 10% of the cases the obtained element was equal to the original $s \in B_n$ generated by Alice.



                 Key length, K = L
                   100         400         800
  B_10          100 (100)   100 (100)   100 (100)
  B_40           24 (10)     99 (99)     92 (92)
  B_80            2 (0)      47 (39)     92 (92)

Table 1. Success rate in our experiments.



C. We analyze the results and make several recommendations on how 
to generate hard instances of ShCSP. 

The paper is organized as follows. In Section 2 we describe our heuristic algorithm and argue that it works for most inputs. In Section 3 we present more detailed results of experiments (than in the table above), discuss the reasons for success/failure, and make suggestions on the generation of hard keys.

All the algorithms described in this paper are available at [4]. 

2. The attack 

In this section we present the mathematical background for the attack. For $n \in \mathbb{N}$ define braids

$$\delta_n = \sigma_{n-1} \cdots \sigma_1,$$
$$\Delta_n = (\sigma_{n-1} \cdots \sigma_1) \cdot (\sigma_{n-1} \cdots \sigma_2) \cdot \ldots \cdot (\sigma_{n-1}).$$

It is easy to check that for any $i = 1, \ldots, n-1$ the following equality holds in $B_{n+1}$:

(2) $\delta_{n+1}^{-1} \sigma_i \delta_{n+1} =_{B_{n+1}} \sigma_{i+1} = d(\sigma_i)$.

Proposition 2.1. Let $p, p', s \in B_n$. Then $s$ satisfies the shifted conjugacy equation for $p$ and $p'$

(3) $p' =_{B_{n+1}} s * p$,

if and only if it satisfies the conjugacy equation for $p'\delta_{n+1}^{-1}$ and $d(p)\sigma_1\delta_{n+1}^{-1}$

(4) $p'\delta_{n+1}^{-1} =_{B_{n+1}} s \cdot d(p)\sigma_1\delta_{n+1}^{-1} \cdot s^{-1}$.

Proof. Follows from (2).

□
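Carrying the proof of Proposition 2.1 through explicitly (an added derivation, not part of the original paper; it uses only (1) and (2)). Since $d$ is a homomorphism and $\delta_{n+1}$ is fixed, (2) gives $d(w) =_{B_{n+1}} \delta_{n+1}^{-1}\, w\, \delta_{n+1}$ for every $w \in B_n$, in particular $d(s^{-1}) = \delta_{n+1}^{-1} s^{-1} \delta_{n+1}$. Substituting this into (1),

$$p' =_{B_{n+1}} s * p = s \cdot d(p) \cdot \sigma_1 \cdot d(s^{-1}) = s \cdot d(p)\,\sigma_1\,\delta_{n+1}^{-1} \cdot s^{-1} \cdot \delta_{n+1},$$

and multiplying both sides on the right by $\delta_{n+1}^{-1}$ gives

$$p'\,\delta_{n+1}^{-1} =_{B_{n+1}} s \cdot d(p)\,\sigma_1\,\delta_{n+1}^{-1} \cdot s^{-1},$$

which is (4). Every step is reversible, so (4) implies (3) as well: the shifted conjugacy instance $(p, p')$ is turned into the ordinary conjugacy instance $(p'\delta_{n+1}^{-1},\ d(p)\sigma_1\delta_{n+1}^{-1})$ in $B_{n+1}$, with the same unknown $s$.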

Proposition 2.2. Let $p, p', s \in B_n$ be braids satisfying $p' =_{B_{n+1}} s * p$, and let $s' \in B_{n+1}$. Then

$$p'\delta_{n+1}^{-1} =_{B_{n+1}} s' \cdot d(p)\sigma_1\delta_{n+1}^{-1} \cdot s'^{-1} \iff s'^{-1}s \in C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1}^{-1}),$$

where $C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1}^{-1})$ denotes the centralizer of $d(p)\sigma_1\delta_{n+1}^{-1}$ in $B_{n+1}$.

Proof. Obvious.

□

Now, it follows from Propositions 2.1 and 2.2 that the ShCSP can be solved in two steps:

(S1) Find a solution $s' \in B_{n+1}$ of the equation $p'\delta_{n+1}^{-1} =_{B_{n+1}} s' \cdot d(p)\sigma_1\delta_{n+1}^{-1} \cdot s'^{-1}$. This can be done using the ultra summit set technique invented in 0.

(S2) "Correct" the element $s' \in B_{n+1}$ to obtain a solution $s \in B_n$ of (3), i.e., find a suitable element $c \in C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1}^{-1})$ such that $t = s'c \in B_n$ satisfies (3). We refer to this step as a centralizer attack.

The description of ultra summit sets is out of the scope of our paper, so we omit details on step (S1). Step (S2) requires some elaboration. To be able to work with elements of $C = C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1}^{-1})$ efficiently we need to describe $C$ in some convenient way, for instance, by providing a set of generators. Hence, step (S2) itself consists of two smaller steps: capturing $C$ and finding the required element $c \in C$.

The only known algorithm [10] for computing a generating set for a centralizer reduces to the construction of so-called super summit sets, the size of which is not known to be polynomially bounded, and which is usually hard in practice. Hence, the approach of describing the whole generating set does not seem feasible. Instead, we can work with the subgroup of $C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1}^{-1})$ considered in Proposition 2.3. For $p \in B_n$ define braids:

$$c_1 = \Delta_{n+1}^2, \quad c_2 = d(p)\sigma_2^{-1} \cdots \sigma_n^{-1}, \quad c_3 = \sigma_1 \cdots \sigma_{n-1}\sigma_n^2\sigma_{n-1} \cdots \sigma_1,$$

and

$$c_4 = c_1^{-1}, \quad c_5 = c_2^{-1}, \quad c_6 = c_3^{-1}.$$

Proposition 2.3. Let $p \in B_n$ and $C = C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1}^{-1})$. The following holds:

• $c_1, c_2, c_3 \in C$,

• $\langle c_1, c_2, c_3 \rangle$ is an abelian subgroup of $B_{n+1}$ and, hence, has polynomial growth.

Proof. Observe that the equality

$$d(p)\sigma_1\delta_{n+1}^{-1} =_{B_{n+1}} d(p)\sigma_2^{-1} \cdots \sigma_n^{-1}$$

holds in $B_{n+1}$ and the element $d(p)\sigma_2^{-1} \cdots \sigma_n^{-1}$ involves generators $\sigma_2, \ldots, \sigma_n$ only. It is intuitively obvious that $c_2$ commutes with $c_3$ when you observe that in the braid diagram for $c_3$ none of strands 2 to $n$ cross over. Furthermore, $c_1$ generates the center of $B_{n+1}$. Thus, the subgroup $\langle c_1, c_2, c_3 \rangle$ is abelian.

□

Now, having fixed the subgroup $\langle c_1, c_2, c_3 \rangle$, we can describe the heuristic procedure for finding the required $c \in \langle c_1, c_2, c_3 \rangle$. For any braid $t \in B_n$ define

$$l_t = |p'^{-1}(t * p)|_{\Delta_{n+1}}$$

and observe that $t = s'c$ satisfies $t * p = p'$ if and only if $l_t = 0$, and the value of $l_t$ can be used to guide our heuristic search: the smaller $l_t$, the "closer" $t$ is to the actual solution.

We summarize the ideas of this section into a heuristic algorithm (Algorithm 2.4) which for a pair of braids $p, p' \in B_n$ attempts to find $s \in B_n$ such that $p' =_{B_{n+1}} s * p$. The algorithm starts out by finding a solution $s'$ to the conjugacy equation (4). It keeps two sets, $S$ (elements in working) and $M$ (worked out elements), of pairs $(t, l_t)$ where $t \in B_{n+1}$ is a possible solution and $l_t = |p'^{-1}(t * p)|_{\Delta_{n+1}}$. Initially, we have $S = \{(s', l_{s'})\}$, where $s'$ is found in step (S1) and $l_{s'} = |p'^{-1}(s' * p)|_{\Delta_{n+1}}$. On each iteration we choose a pair $(t, l_t)$ from $S$ with the smallest value $l_t$ (the "fittest" one). If $l_t = 0$ then $t$ is a solution. If $l_t \neq 0$ then compute new possible solutions $t_i = tc_i$ and add the corresponding pairs $(t_i, l_{t_i})$ into $S$. After all $(t_i, l_{t_i})$ are added to $S$ the current pair $(t, l_t)$ becomes worked out.

Algorithm 2.4. (Heuristic algorithm for solving ShCSP)
Input: Braids $p, p' \in B_n$.

Output: A braid $s \in B_n$ such that $p' =_{B_{n+1}} s * p$.
Computation:

A. Using the ultra summit set technique compute $s' \in B_{n+1}$ satisfying $p'\delta_{n+1}^{-1} =_{B_{n+1}} s' \cdot d(p)\sigma_1\delta_{n+1}^{-1} \cdot s'^{-1}$.

B. Put $S = \{(s', |p'^{-1}(s' * p)|_{\Delta_{n+1}})\}$ and $M = \emptyset$.

C. Until a solution is found:

1. Choose a pair $(t, l_t)$ from $S$ with the smallest $l_t$.

2. If $l_t = 0$ then output $t$.

3. Otherwise for each $i = 1, \ldots, 6$

(i) Compute $t_i = t \cdot c_i$ and $l_{t_i} = |p'^{-1}(t_i * p)|_{\Delta_{n+1}}$.

(ii) If $(t_i, l_{t_i})$ belongs neither to $S$ nor to $M$ then add it into $S$.

4. Remove the current pair $(t, l_t)$ from $S$ and add it into $M$.

3. Experimental results 

Algorithm 2.4 always produces the correct answer when it halts, though it does not always stop. There are two possible reasons for a failure.

1) Failure on step A. The precise complexity of the ultra summit set algorithm is not known, though it is proved that for certain classes of braids it is polynomial. But even if it is polynomial, the degree of the polynomial can be too large for practical computations.

2) Failure in the loop C. There are two possible reasons for this. The first reason is that we use the subgroup $\langle c_1, c_2, c_3 \rangle$ of $C = C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1}^{-1})$, which can be a proper subgroup and might not contain the required element. The second reason is that the heuristic based on the length $|p'^{-1}(t * p)|_{\Delta_{n+1}}$ might be bad.

To test the efficiency of the algorithm we performed a series of experiments in which we limited the time allowed for each part: 1 hour for step A and 15 minutes for step C on a personal computer (CPU 2.66 GHz). The percentage of success in experiments for different parameters is shown in Table 1. Below we present detailed information on each step of the computations.

Recall that in step A we solve the conjugacy search problem for the braids $p'\delta_{n+1}^{-1}$ and $d(p)\sigma_1\delta_{n+1}^{-1}$ in $B_{n+1}$. The percentage of failure on step A is shown in Table 2. We see that the shorter the length of the key $p$ relative to the rank of the braid group, the harder it becomes to solve the conjugacy search problem. We cannot explain this phenomenon; the method of ultra summit sets is very difficult to analyze. We suspect that the reason for such behavior is that shorter words are less likely to be rigid (they expose free-like behavior when cycling).



                  Key length
                  100                  400                  800
  B_10           0 of 100 (0.00%)     0 of 100 (0.00%)     0 of 100 (0.00%)
  B_40           9 of 100 (9.00%)     0 of 100 (0.00%)     1 of 100 (0.00%)
  B_80          59 of 100 (59.00%)   12 of 100 (12.00%)    6 of 100 (6.00%)

Table 2. Failure on step A.



The percentage of failure in loop C of Algorithm 2.4, given that step A was successfully completed, is shown in Table 3. Essentially, we see the same pattern of failure as in the solution of the conjugacy problem in Table 2: the shorter the length of the key relative to the rank of the braid group, the harder it is to find a suitable element of the centralizer. These results are easier to explain. Basically, the shorter the key, the bigger the centralizer. Hence, for shorter elements it is more likely that $\langle c_1, c_2, c_3 \rangle$ is a proper subgroup of $C = C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1}^{-1})$ and less likely that it actually contains the required element $c$.



                  Key length
                  100                  400                  800
  B_10           0 of 100 (0.00%)     0 of 100 (0.00%)     0 of 100 (0.00%)
  B_40          67 of 91 (73.62%)     1 of 100 (1.00%)     7 of 99 (7.07%)
  B_80          39 of 41 (95.12%)    41 of 88 (46.59%)     2 of 94 (2.12%)

Table 3. Failure in loop C.



4. Conclusions 

In this section we discuss methods of key generation invulnerable to the attack proposed in Section 2. Recall that the success of the attack relies on two properties of the braids $p, p'$:

(1) the conjugacy search problem is easy for the pair $(p'\delta_{n+1}^{-1}, d(p)\sigma_1\delta_{n+1}^{-1})$ in $B_{n+1}$;

(2) the centralizer $C_{B_{n+1}}(d(p)\sigma_1\delta_{n+1}^{-1})$ is "small" (isomorphic to an Abelian group of small rank).

If either of the two properties above is not satisfied then the attack is likely to fail. Even though there is no known polynomial time algorithm solving CSP for braids, recent developments of [2] and [3] suggest that CSP might be easy for generic braids (of pseudo-Anosov type) and it might be difficult to randomly construct hard instances for CSP. Though there is no proof yet that the pseudo-Anosov type of braids is generic, it is a common belief that this is so. Another interesting recent development is [12], where the authors present a few braids with very large ultra summit sets.

The only part which can be controlled is the growth and structure of the centralizer $C$. As we mentioned above, the only known algorithm for computing a generating set for a centralizer reduces to the construction of super summit sets, whose size is not known to be polynomially bounded and which is usually very inefficient in practice. We can choose $p$ so that $C(d(p)\sigma_1\delta_{n+1}^{-1})$ is a large non-Abelian group. For more on the structure of centralizers see . For ideas on how to generate elements with large centralizers see [13].